JPH10210024A - Cipher communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize a cipher communication system which prevents a third user from impersonating a legal user and doesn't require preparatory communication with a destination station at the time of sharing a key. SOLUTION: A key generation center 101 outputs secret keys Y(A) and Y(B) and public information T to ID information X(A) and X(B) as public keys of users A and B. When communicating with the user B, the user A outputs a shared key K(A, B) in accordance with the secret key Y(A) of the user A, ID information X(B) as the public key of the user B, and public information T. The user B outputs the shared key K(B, A) in accordance with the secret key Y(B) of the user B, ID information X(A) as the public key of the user A, and public information T, and cipher communication is performed by these shared keys K(A, B) and K(B, A).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic communication system for performing cryptographic communication by sharing cryptographic keys between users.

[0002]

2. Description of the Related Art The prior art of this type of cryptographic communication system is disclosed in the following document. W. Diffie,
ME Hellman, “New Directions in Cryptography”,
IEEE Trans. On Info. Theory, Vol. IT-22, No.6, No
v. 1976

FIG. 2 is an explanatory diagram of an encryption communication system disclosed in the above-mentioned document. The figure shows a common key K (A, B) = K commonly used by the user A and the user B when performing the encrypted communication.
The procedure for generating (B, A) is described.

[0004] First, user A is secret key Y of user A.
(A) is input to the first key generation device 201-A. First
The key generation device 201-A of the user A generates the public key X (A) of the user A.
= G ＾ Y (A) (mod.q) and the communication path 203
Is transmitted to the user B, which is the communication partner, via.

[0005] Similarly, the user B sends the first key generation device 20
In 1-B, the secret key Y (B) of the user B is converted to the public key X (B).
Is calculated, and the public key X (B) is transmitted to the user A.
User A has a secret key Y (A) secretly stored by user A.
And the public key X (B) of the user B received from the user B via the communication path 203, to the second key generation device 202-A.
To enter. The second key generation device 202-A outputs K (A,
B) = X (B) ＾ Y (A) (mod.q) = g ＾ ｛Y
(B) Generate Y (A)｝ (mod.q). Similarly,
Also on the user B side, the second key generation device 202-B transmits
(B, A) = X (A) {Y (B) (mod.q) = g}
Generate {Y (A) Y (B)} (mod.q).

In the above-described method, the user A and the user B secretly share the common key K via the communication path 203 that can be eavesdropped by a third party.
(B, A) = K (A, B) can be shared, and data can be encrypted / decrypted using this secret key.

[0007]

However, since the above-mentioned conventional cryptographic communication system is configured as described above, the third user C can easily impersonate the user A or the user B and illegally obtain the key. There was a problem that they could be shared. Further, in the conventional cryptographic communication system, there is a problem that preliminary communication with the partner station is required at the time of key sharing and cannot be applied to one-way mail communication such as electronic mail.

[0008] In view of the above, it has been desired to realize a cryptographic communication system that prevents impersonation by a third user and that does not require preliminary communication with a partner station during key sharing.

[0009]

The present invention employs the following structure to solve the above problems. <Structure of Claim 1> In an encryption communication system in which an encryption device and a decryption device use the same common key to encrypt and decrypt communication data, public information T commonly used by each user is stored. Output, and set any user to User A
, A key generation center that outputs the secret key Y (A) of the user A with respect to the public key X (A) of the user A, the secret key Y (A) of the user A, From the public key X (B) of the user B as a communication partner of the user A and the public information T,
A cryptographic communication system comprising: a common key generation device that outputs a common key K (A, B) between the user A and the user B.

<Explanation of Claim 1> The secret key Y (A) and the public information T output from the key generation center are shared by the secret key Y (A) of the user A (or the user B) in the common key generation device.
(Or a secret key Y (B)) and a public key X (B) (or X (A)) of a user B (user A) with which the user A (or user B) communicates. From the public information T,
Common key K (A, B) between user A and user B
(Or K (B, A)). Also, regarding the configuration of the key generation center, these secret keys Y
Any device that can output (A) and Y (B) may be used.

Since the invention of claim 1 is configured as described above, there is no need to communicate with the other party to generate a common key, and therefore, it is possible to prevent impersonation by a third user. In addition, since key exchange does not require preliminary communication with the other party, the present invention has an effect that the present invention can be applied to one-way mail communication such as electronic mail.

<Structure of Claim 2> In claim 1, the key generation center determines the values N, G, δ satisfying the following equation (1).
The operation using the secret key Y (A) or the public information T
This is a cryptographic communication system characterized by being used for generation of. For any k> 0, G ＾ (δ + k) ≡G ＾ k (mod.N) (1) where ＾ represents a power operation, and a≡b (mod.q)
Represents that a and b are congruent modulo q.

<Explanation of Claim 2> The invention of claim 2 shows the above relationship among N, G, and δ. Due to such a relationship, in various processes of the cryptographic communication system, operations utilizing the following properties can be used. For any a, b> 0 that satisfies a≡b (mod. δ), G ＾ a≡G ＾ b (mod. N)

<Structure of Claim 3> In Claim 2, the key generation center or the common key generation device is a cryptographic communication system characterized by performing a process including a remainder operation modulo N.

<Explanation of Claim 3> Claim 3 expresses equation (1).
The present invention includes a process of obtaining a remainder obtained by dividing some value by N that satisfies the following relationship.

<Structure of Claim 4> The cryptographic communication system according to Claim 2, wherein the key generation center performs a process including an operation of raising G to the power.

<Explanation of Claim 4> Claim 4 expresses equation (1).
The following is an invention showing that an operation for raising G to a power is performed on G satisfying the following relationship.

<Structure of Claim 5> In claim 1, the key generation center determines, for a certain value δ, two values x and y or y and z satisfying the relationship of the formula (2) or (3). Is used for generation of a secret key Y (A) or generation of public information T. xy≡0 (mod. δ) (2) yz≡0 (mod. δ) (3)

<Explanation of Claim 5> According to the invention of claim 5, two values, such as x and y or y and z, in which a remainder obtained by dividing a product operation value by δ is 0, are used for key generation or public information T. It shows that it is used for calculation. Here, x, y, and z may be any values as long as the relationship with δ satisfies this condition.

<Structure of Claim 6> In claim 5, the key generation center determines (x + y) for x and y or y and z.
A cryptographic communication system characterized in that an operation including an arbitrary power of y) or an arbitrary power of (y + z) is used for generating public information T.

<Explanation of Claim 6> According to the invention of claim 6, for example, e _i = (x + y) ＾ r _i + s _i δ in equation (4)
(Mod.M) in the (x + y) ^ and r _i, represents an operation of an expression _{(5) d i = (y} + z) ^ t i + u i δ (mod.M) in the (y + z) ^ t _i However, a configuration used for other calculations may be used.

<Structure of Claim 7> The cryptographic communication system according to claim 5, wherein the key generation center performs a process including an operation of raising x and y or y and z to the power.

<Explanation of Claim 7> The invention of claim 7 is based on, for example, G _f (A) = G ＾ ｛x ＾ F (X
(A)) + y {H (X (A))} (mod. N)
The calculation of x ＾ F (X (A)) and y ＾ H (X (A)), or _Gh (A) = G ＾ ｛y ＾ F (X (A)) which is the equation (7)
+ Z ＾ H (X (A))｝ (mod.N), y ＾ F
Although the calculation of (X (A)) and z ＾ H (X (A)) is shown, a configuration used for other calculations may be used.

<Structure of Claim 8> In Claim 7, the key generation center performs a process including an operation of adding a term including a result obtained by raising x and y or y and z to the powers. Is a cryptographic communication system characterized by the following.

<Explanation of Claim 8> The invention of claim 8 is based on the calculation of x ＾ F (X (A)) + y ＾ H (X (A)) in equation (6), or in equation (7). Y ＾ F (X (A)) + z ＾ H
Although the calculation of (X (A)) is shown, a configuration used for other calculations may be used.

<Structure of Claim 9> According to claim 2 or 5, the key generation center performs an operation including a remainder operation modulo a multiple of δ to generate a secret key Y (A) or generate public information T. This is a cryptographic communication system characterized by being used for:

<Explanation of Claim 9> The invention of claim 9 uses δ that satisfies the relationship shown in the formula (1) of claim 2 or the formula (2) or (3) of claim 5, This indicates that the key operation and the creation of the public information T are performed by performing the remainder operation modulo. Here, the multiple of δ includes one time. As such a remainder operation, for example, equation (6)
X ＾ F (X (A)) + y ＾ H (X
(A)) or y ＾ F (X (A)) in equation (7)
+ Z ＾ H (X (A)) is calculated modulo δ,
Further, there is a case where equations (4) and (5) are calculated by using any multiple of δ as a modulus.

<Structure of Claim 10> In Claim 4,
The key generation center is a cryptographic communication system characterized by performing, as a power-of-G operation, an operation of an exponent used for the power-of-G operation under a remainder by a modulus δ.

<Explanation of Claim 10> According to the invention of claim 10, as the processing including the exponentiation of G in claim 4, an exponent part for exponentiation of G is constituted by some operation, and the operation of this exponent part is performed. Is performed under the remainder by the modulus δ as described in claim 9. As such a remainder operation, the exponent part (x
The calculation of ＾ F (X (A)) + y ＾ H (X (A)) may be performed with a remainder by the modulus δ.

<Structure of Claim 11> The cryptographic communication system according to claim 2 or 5, wherein the key generation center generates the public information T using an arbitrary multiple of δ.

<Explanation of Claim 11> An arbitrary multiple of δ indicates, for example, s _i δ, u _i δ or M in equations (4) and (5). There may be.

<Structure of Claim 12> In Claim 6,
The key generation center uses a process including an operation of adding a term including an arbitrary power of (x + y) or an arbitrary power of (y + z) and a term including an arbitrary multiple of δ for generating the public information T. Is a cryptographic communication system characterized by the following.

<Explanation of Claim 12> The twelfth aspect of the present invention relates to an operation of the sixth aspect of the invention, which includes an operation of adding a term including an arbitrary multiple of δ shown in the eleventh aspect of the invention. It was done.

[0034] In claim 12 <Configuration of claims 13>, the key generation center, formula (4) or the formula (5) to the e _i or d _i obtained by the calculation by outputting included in the public information T indicating Is a cryptographic communication system characterized by the following. e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers.

<Explanation of Claim 13> The invention of claim 13 shows that the operation of the invention of claim 12 is Expressions (4) and (5). The remainder operation is performed modulo an arbitrary multiple.

<Structure of Claim 14> In claim 2 or 5, the key generation center sets an arbitrary multiple of δ to the public information T.
And an output.

<Explanation of Claim 14> An arbitrary multiple of δ in claim 14 is, for example, M. Where M = δε
If δ and ε each include a large prime factor in the factor, and M is selected so that the prime factorization of M becomes difficult, M can be output as the public information T.

<Structure of claim 15> In claim 14, the common key generation apparatus uses a process including a remainder operation modulo an arbitrary multiple of δ for generation of the common key K (A, B). Is a cryptographic communication system characterized by the following.

<Explanation of Claim 15> The invention of claim 15 uses an arbitrary multiple of δ included in the public information T, and uses a symmetric key generation apparatus on the user side to generate an arbitrary δ such as M, for example. This indicates that the remainder operation is performed modulo a multiple.

<Structure of Claim 16> In Claim 1,
The key generation center or the common key generation device is a cryptographic communication system including a one-way function calculation unit as a component.

<Explanation of Claim 16> The one-way function calculating means in claim 16 indicates that the calculation is performed using a one-way function whose input cannot be easily estimated from the output.

<Structure of Claim 17> In Claim 16, the key generation center or the common key generation device is a cryptographic communication system characterized by including two or more types of one-way function operation means as constituent elements. .

<Explanation of Claim 17> The two or more kinds of one-way function calculating means in claim 17 are, for example, f, h
This is an operation means using a one-way hash function.

<Structure of Claim 18> In any one of claims 1 to 17, the public key X (A) of the user A is used as ID information for another user to uniquely specify the user A. It is a cryptographic communication system characterized by the following.

<Explanation of Claim 18> ID information is information such as a user's name, address, and e-mail address. In this way, by using the public key as the ID information, it is possible to prevent the third user from impersonating the communication user.

<Structure of Claim 19> In Claim 1,
The key generation center or the common key generation device obtains m outputs that are predetermined values from the input of the user A's public key X (A) or a result calculated based on the public key X (A). A cryptographic communication system comprising means.

[0047] a processing means for obtaining m output in claim 19 <Description of claims 19> is, for example, f _i and h _i.

<Structure of Claim 20> In claim 19, the key generation center or the common key generation device performs an operation based on the input public key X (A) or public key X (A) of the user A input. A cryptographic communication system comprising means for obtaining a predetermined m digits when the result is expressed by an n-ary number as m outputs.

<Explanation of Claim 20> In claim 20, as an example of a means for obtaining m outputs from one input, means for converting a predetermined m digits when expressed in n-ary into m outputs is used. Is shown. Here, n is 2, for example, but may be another value.

<Structure of Claim 21> The cryptographic communication system according to claim 19, wherein each of the processing means for obtaining m outputs is a binary output.

<Description of Claim 21> The invention of claim 21 shows that the m output values shown in the invention of claim 19 are binary outputs such as only 0 or 1.

<Structure of Claim 22> In Claim 19, a predetermined number m from the public key X (A) of the user A inputted.
The cryptographic communication system is characterized in that the processing means for obtaining the number of outputs is one-way.

<Explanation of Claim 22> According to the invention of claim 22, the processing means for obtaining m outputs in claim 19 is:
It is shown that it is configured using a one-way function calculating means as described in claim 16. That is, the obtained m
Public key X of the user A who became the input from this output
It is shown that the estimation of (A) is configured to be difficult.

<Structure of Claim 23> In any one of Claims 3, 4 and 8, the key generation center uses the formula (6) as a secret key Y (A) for the public key X (A) of the user A.
Alternatively, a cryptographic communication system characterized by outputting information including a calculation result of G _f (A) or G _h (A) generated by the calculation of Expression (7). G _f (A) = G ＾ ｛x ＾ F (X (A)) + y ＾ H (X (A))｝ (mod.N) (6) G _h (A) = G ＾ ｛y ＾ F ( X (A)) + z ＾ H (X (A))｝ (mod.N) (7) where F and H are predetermined functions for the public key X (A).

<Explanation of Claim 23> The invention of claim 23 is the remainder operation modulo N in claim 3;
, And x in claim 8
Equations (6) and (7) specifically show operations for adding a term including a result obtained by powering y and y or y and z to the power.

<Structure of Claim 24> In claim 23, the key generation center generates G _f generated by the calculation of the equations (6) and (7) for the public key X (A) of the user A.
A pair of (A) and G _h (A) is defined as a secret key Y (A) = (G
_f (A), _Gh (A)).

<Explanation of Claim 24> The invention of claim 24 is a combination of G _f (A) and G _h (A) described in the invention of claim 23.
Are set as the secret key Y (A).

<Structure of Claim 25> In claim 19, the key generation center outputs m outputs output for a certain public key X by f _i (X) (0 ≦ i <m) or h
_{Using i} (X) (0 ≦ i <m) and using a function F or H as in equation (8) or equation (9) using these f _i (X) or h _i (X). Is a cryptographic communication system. _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary.

<Explanation of Claim 25> According to the invention of claim 25, m output values obtained by a processing means for obtaining m outputs are used for functions such as equations (8) and (9). It is shown that.

<Structure of Claim 26> In claim 23, the key generation center uses the function of the following expression (8) or (9) as the function F or H in the expression (6) or (7). An encryption communication system characterized by the above-mentioned. _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary.

<Explanation of Claim 26> The invention of claim 26 is based on the following formula (6) or (7):
This shows that F (X) or H (X) shown in the twenty-fifth aspect of the present invention is used.

<Structure of Claim 27> In claim 13, the key generation center uses m r _i (0 ≦ i <m) or t _i (m) used in the calculation of the following expression (8) or (9). 0 ≦ i
<M), m pieces of e _i (0 ≦ i <m) or d _i (0 ≦ i <) obtained by the calculation of Expression (4) or (5).
m) is included in public information T and output. _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary.

<Explanation of Claim 27> The invention of claim 27 is based on the expression (4) or (5) shown in the invention of claim 13.
Expression (8) or Expression (9) shown in the twenty-fifth aspect of the present invention.
Is defined.

<Structure of Claim 28> In Claim 1,
A cryptographic communication system characterized in that a common key generation device of an arbitrary user A performs a process including an operation of raising the information obtained as the secret key Y (A) of the user A or partial information thereof to a power. is there.

<Explanation of Claim 28> The partial information in the invention of claim 28 is, for example, G _f (A) in equation (10).
And G _h (A).

<Structure of Claim 29> In Claim 1,
The common key generation device of an arbitrary user A converts a plurality of pieces of partial information of the information obtained as the secret key Y (A) of the user A into
A cryptographic communication system characterized by performing processing including a product operation of results of predetermined operation processing.

<Explanation of Claim 29> The product operation in the invention of claim 29 is, for example, G _f (A) ＾ in equation (10).
{ _I [e _i {f _i (X (B))]} and G _h (A)}
_{{Π i [d i ^ h} i (X (B))]} is a product operation with, or may be other than this product operation.

<Structure of claim 30> In claim 28, as the exponent of the exponentiation operation, e _i or d which is the operation result of the following equation (4) or (5) included in the public information T
A cryptographic communication system characterized in that a common key is generated using a result obtained by performing an operation based on _i . e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers.

<Explanation of Claim 30> According to the invention of claim 30, the operation result of the equation (4) or the equation (5) outputted by the key generation center included in the public information T is output. , In the exponent part of the exponentiation operation in claim 28.

<Structure of Claim 31> In Claim 19, the common key generation device includes two pieces of information G included in the secret key Y (A) of the user A having the common key generation device.
_f (A) and G _h (A) and m pieces of e _i and d _i (0 ≦ i <m) included in the public information T, respectively, and the user A
With respect to the public key X (B) of the user B as the communication partner of
M outputs f _i (X (B)) and h _i (X
(B)) (0 ≦ i <m) and the following equation (1)
This is a cryptographic communication system characterized by generating a common key K (A, B) by the operation of (0). K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i (X (B ))]} (mod.N) ... (10) However, [pi _i represents the product from i = 0 to m-1. Here, G _f (A) and G _h (A) are two pieces of partial information included in the secret key Y (A), f _i (X (B)) and h _i (X
(B)) (0 ≦ i <m) are m outputs for the public key X (B), respectively.

<Explanation of Claim 31> In the invention of claim 31, the m outputs in claim 19 are represented by f _i (X
(B)), h _i (X (B)) (0 ≦ i <m), and the operation of raising the partial information of the secret key in claim 28 to a power and the product operation in claim 29 are expressed by the following equation (10). ) Indicates that processing is performed.

<Structure of Claim 32> In Claim 1,
The key generation center discloses N indicating the relationship of the following equation (1) and m pieces of e _i and d _i (0 ≦ i <m) obtained as the calculation results of the following equations (4) and (5). The secret key Y (A) = (G _f (A), G _h (A)) corresponding to the public key X (A) of an arbitrary user A is output by being included in the information T and is expressed by the following equation (6). , (7), and the common key generation device generates
Using the secret key Y (A) of the user A and the public key X (B) of the user B with which the user communicates, the following equation (10) is used.
To generate a common key K (A, B) by the calculation of For any k> 0, G ＾ (δ + k) ≡G ＾ k (mod.N) (1) where ＾ represents a power operation, and a≡b (mod.q)
Represents that a and b are congruent modulo q. e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers. G _f (A) = G ＾ ｛x ＾ F (X (A)) + y ＾ H (X (A))｝ (mod.N) (6) G _h (A) = G ＾ ｛y ＾ F ( X (A)) + z ＾ H (X (A))｝ (mod.N) (7) where x, y, and z in equations (4), (5), (6), and (7) are It satisfies the relations of equations (2) and (3). xy≡0 (mod.δ) (2) yz≡0 (mod.δ) (3) Further, F and H are given by the following equations (8),
It is a function like (9). _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i (X (B ))]} (mod.N) ... (10) However, [pi _i represents the product from i = 0 to m-1. Here, G _f (A) and G _h (A) are two pieces of partial information included in the secret key Y (A), f _i (X (B)) and h _i (X
(B)) (0 ≦ i <m) are m outputs for the public key X (B), respectively.

<Explanation of Claim 32> The invention of claim 32 defines the contents of the calculation on the key generation center and the user side. That is, the invention has the configuration of the key generation center described in the inventions of claims 24 and 27, and the configuration of the common key generation device described in claims 30 and 31.

<Structure of claim 33> In claim 31, the symmetric key generation apparatus is configured to calculate G _f (A) in equation (10).
Alternatively, the cryptographic communication system is characterized in that a product at an exponent part of a power operation of G _h (A) is calculated by repeating a power under a remainder of the modulus N.

<Explanation of Claim 33> The invention of claim 33 is based on, for example, a ＾ ｛bc｝ ≡ ｛a ＾ b (mod.N)｝
＾ c (mod. N). Thus, by calculating the remainder by the modulus N for each exponentiation, the calculation can be performed by repeating the calculation of a number of the order of N.

<Structure of Claim 34> In claim 33, the symmetric key generation device sets f _i (X
(B)) or when the output of the h _i (X (B)) was _{0, e i ^ f i (} X (B)) or d _i ^ h _i (X
This is a cryptographic communication system characterized in that exponentiation processing using (B)) as an exponent is omitted.

<Explanation of Claim 34> According to the invention of claim 34, for example, when the output of f _i or h _i becomes 0,
Since e _i ＾ f _i (X (B)) = 1, e _i ＾ f _i
This indicates that the exponentiation process using (X (B)) as an index becomes unnecessary. Here, _i in f _i and h _i means any value from 0 to m−1.

<Structure of Claim 35> In Claim 34, the symmetric key generation device sets f _i (X
(B)) or the output of h _i (X (B))
When the output value is 0, the exponentiation process is performed using e _i ＾ f _i (X (B)) or d _i ＾ h _i (X (B)) as an index. A cryptographic communication system is omitted, and when the output value is 1, it is performed as a power processing by e _i or d _i .

<Explanation of Claim 35> According to the invention of claim 35, as described in the invention of claim 21, when the processing means for obtaining m outputs is a binary output, the output value is 0. If e _i
omitted exponentiation processing to f _i (X (B)) or d _i ^ h _i a (X (B)) index, the if the output value is 1 may be treated as exponentiation process by e _i or d _i Is shown.

<Structure of Claim 36> In any one of claims 1 to 35, the apparatus has a random number generation device and means for transmitting a random number generated by the random number generation device to a communication partner. A random key is input in addition to the secret key Y (A) of the user A and the public key X (B) of the user B, and the common key K is calculated.
(A, B) is output.

<Explanation of Claim 36> The invention of claim 36 is
A configuration using a random number is added to any one of the inventions according to claims 1 to 35. Thus, a different common key is shared between the user A and the user B every time the key is shared.

[0082]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below using specific examples.

<Embodiment 1> FIG. 1 is a block diagram showing Embodiment 1 in the cryptographic communication system of the present invention. The illustrated system includes a key generation center 101, a common key generation device 102-
A, 102-B, encryption device 103, decryption device 104
Consists of

The key generation center 101 outputs the public information T commonly used by each user, and, for example, when an arbitrary user is assumed to be the user A, the public key (ID information) of the user A It has a function of outputting the secret key (secret information) Y (A) of the user A to X (A). The common key generation devices 102-A, 102-B respectively
User B's secret keys Y (A), Y (B) and user A, user B as a communication partner of user B, and public key X of user A
(B), X (A) and the public information T, the common keys K (A, B) and K (B, A) between these users A and B.
Output function.

Further, the encryption device 103 applies the common key K generated by the common key generation device 102-A to the communication data.
This is a device that performs encryption using (A, B), and the decryption device 104 applies the common key generation device 1 to the encrypted data.
This is a device that performs decryption using the common key K (B, A) generated in 02-B. In the following, the common key generation device 102-
The configuration common to A and 102-B will be described as a common key generation device 102.

In such a cryptographic communication system, first, a user of the cryptographic communication system transmits ID information by which other users can uniquely identify the user to the key generation center 10.
Enter 1 As a result, the key generation center 101 performs predetermined processing described later, outputs secret information (secret key) that the user keeps secret, and the user receives this.
Here, the ID information is, for example, a name, an address, an e-mail address, and the like. This procedure is performed only once when a user of the cryptographic system subscribes to this system.

Next, when performing encrypted communication with another user, the secret information received from the key generation center 101 and the ID information of the communicating party are input to the common key generation device 102 held by the user. I do. The common key generation device 102 generates and outputs a common key with a communication partner. The user uses the common key as a key for encrypted communication and performs encrypted communication with the other party.

Next, the operation of each component will be described in detail with reference to FIG. First, the key generation center 101 prepares the following parameters before starting operation of the system.

N Normally, N is a composite number whose factorization is difficult. For example, as a product of large prime numbers P and Q, N = PQ
And G, δ Here, G and δ satisfy the relationship of the following equation (1) with respect to N. For any k> 0, G ＾ (δ + k) ≡G ＾ k (mod.N) (1) where ＾ represents a power operation, and a≡b (mod.q)
Represents that a and b are congruent modulo q. still,
“A and b are congruent modulo q” means that “the remainder obtained by dividing by the value q is equal to a and b”.

For example, G and δ can be selected as follows. The Carmichael function of N is L = λ (N)
And For example, when N = PQ (P and Q are prime numbers), L = λ (N) = 1 cm (P−1, Q−1).
Here, 1 cm (a, b) represents the least common multiple of a and b.

L is g that is relatively prime to N, ie, gcd
For g where (g, N) = 1, the following relationship is satisfied: g あ る L≡1 (mod.N). Here, gcd (a, b) represents the greatest common divisor of a and b.

With respect to the above L, γ is set so that L = γδ.
And δ, and by g disjoint with N, G {g}
If γ (mod. N), the relationship of the above equation (1) is satisfied. If g is chosen relatively prime to N, equation (1) gives k =
The same holds for 0. For example, when N = PQ (P and Q are prime numbers), g can be selected to be a primitive element on GF (P) and GF (Q).

X, y, z where x, y, and z are the following equations (2) with respect to the above δ:
It is assumed that the relationship of (3) is satisfied. xy≡0 (mod. δ) (2) yz≡0 (mod. δ) (3)

For example, by using α and β such that δ = αβ, and letting x = x′α, y = y′β, z = z′α,
The relations of the above equations (2) and (3) are satisfied. At this time,
x ', y', z 'may be random numbers.

F, h, n, or m pieces of f _i , h _i (0 ≦ i <m) f and h are one-way hash functions. Where 0 ≦
f (X), h (X) <n ＾ m. The one-way hash function is a function in which the output can be easily obtained from the input, but it is difficult to estimate the input from the output.

At this time, the i-th digit when f (X) and h (X) are represented by an n-ary number of m digits or less is f _i
(X), h _i (X) (0 ≦ i <m). Where 0
≦ f _i (X), which is _{h i (X) <n (} 0 ≦ i <m). _{That, f (X) = Σ i} {f i (X) n ^ i}, h
(X) = a _{Σ i {h i (X)} n ^ i}. Where Σ
_i represents the sum of i = 0 to m-1.

N denotes f (X), h (X), f _i
(X), h _i (X) (base number when decomposed into 0 <i <m). Usually, n = 2. Instead of f, h and n, m one-way function groups f _i , h _i (0 ≦ i
It may be considered that only <m) exists.

· Each of m r _i and t _i (0 ≦ i <
m) r _i and t _i may each be a random number.

M e _i , d _i (0 ≦ i <
m) where e _i and d _i are obtained by calculation as in the following equations (4) and (5). e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple.

Here, M is M = δε, that is, the product of δ and ε. However, ε may be a random number. For example, ε
May be the same as γ when L = γδ (ε = γ), in which case M = L. Further, m s _i and u _i (0 ≦ i <m) may be random numbers.

Of the parameters described above, G, δ,
x, y, z, and each of m r _i , t _i (0 ≦ i
<M) is secretly stored inside the key generation center 101. On the other hand, N and m e _i , d _i (0 ≦ i <
m) and the functions f, h and the radix n (or m functions f _i , h _i , respectively) are public information T, which is information that can be disclosed and used by the common key generation device 102 of each user. is there. The public information T may be provided so that it can be used in the common key generation device 102 of each user. The public information T may be incorporated in the common key generation device 102 or may be secretly delivered to only the user together with the secret key. It does not need to be public except for the common key generation device 102.

In addition, the parameters (for example, L, M, g, α, β,
γ, ε, x ′, y ′, z ′, s _i , u _i , P, Q, etc.)
May be secretly stored inside the key generation center 101 or may be discarded. Note that, for example, if M is selected so that δ and ε each include a large prime factor in the factor, and the prime factorization of M is difficult, the M can be disclosed. Also, r _i and t _i are r _i = i for each i.
It may be a t _i, this time the key generation center 101 may be stored to the m the one.

A certain user (here, user A)
However, when joining the cryptographic communication system of this specific example, the user A inputs his / her own ID information X (A) to the key generation center 101. The key generation center 101 internally stores the following equation (6),
The calculation of (7) is performed, and the secret information Y (A) that the user A keeps secret is output and delivered to the user A secretly. As a method of delivering the information secretly, there is a method of storing data in an IC card and mailing the data.

Y (A) is obtained by arranging G _f (A) and G _h (A), and is generated by the following calculation inside the key generation center 101. Y (A) = (G _f (A), G _h
(A)) G _f (A) = G ＾ ｛x ＾ F (X (A)) + y ＾ H (X (A))｝ (mod. N) (6) G _h (A) = G ＾ ｛ y ^ F (X (A) ) + z ^ H (X (A))} (mod. N) ... (7) where, F, H is the f _i, h _i, and, r _i, t
It is a function such as the following equations (8) and (9) using _i .

[0105] _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i is i = Represents the sum from 0 to m-1.

Similarly, the other users (here, user B) also have their own ID information X (B) when joining the system.
Is input to the key generation center 101, and the secret information Y (B) secretly stored by the user B obtained by the calculation inside the key generation center 101 is received.

Note that the key generation center 101 calculates the equation (6),
Exponent part of G of (7) (for example, x ＾ F (X (A)) + y
The operation of ＾ H (X (A)) can also be performed under the remainder by the modulus δ.

[0108] Next, the user A receives the I
D information X (B) and Y received from key generation center 101
(A) owned by user A, common key generation apparatus 102-A
To enter. The common key generation device 102-A performs the following operation and outputs a common key K (A, B). K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i (X (B ))]} (mod.N) ... (10) However, [pi _i represents the product from i = 0 to m-1.

[0109] Similarly, the user B
Using -B, K (B, A) = G f (B) ^ {Π i [e i ^ f i (X (A))]} · G h (B) ^ {Π i [d i ^ h _i (X (A))]｝ (mod.N) (11) where Π _i represents a product from i = 0 to m−1. Get.

In the operations of the expressions (10) and (11), the value of the operation such as Π _i [e _i ＾ f _i (X (B))] is very large. It is possible to calculate a ＾ ｛bc｝ ≡ ｛a ＾ b (mod.N)｝ ＾ c (mo
d. N) That is, the product in the exponent part is a repetition of exponentiation, and the remainder by modulo N is obtained for each exponentiation.

When the output of f _i or h _i becomes 0, e _i ＾ f _i (X (B)) = 1, so that e _i ＾
The exponentiation processing by f _i (X (B)) becomes unnecessary. In particular, when n = 2, that is, when the output of each f _i and h _i is only 0 or 1, in an operation such as e _i ＾ f _i (X (B)), f _i (X (B )) Is unnecessary.

On the other hand, when M is provided as a part of the public information T, an operation such as Π _i [e _i ＾ f _i (X (B))] in equations (10) and (11) is performed. Can be performed under the remainder of the modulus M.

By expanding the equations (10) and (11), K (A, B) = (g ＾ γ) ＾ ｛x ＾ [F (X (A)) + F (X (B))] + y {[H (X (A)) + F (X (B))] + y {[F (X (A)) + H (X (B))] + z} [H (X (A)) + H (X (B ))]｝ (Mod.N) (12) K (B, A) = (g ＾ γ) ＾ ｛x ＾ [F (X (B)) + F (X (A))] + y ＾ [H ( X (B)) + F (X (A))] + y {[F (X (B)) + H (X (A))] + z} [H (X (B)) + H (X (A))]} (Mod.N) (13), and the keys generated by the user A and the user B with the respective common key generation devices 102 match. In the process of generating the common key, no information is exchanged between the user A and the user B, and the shared key K (A, B), K (B, A)
Can not lead. Therefore, the user A and the user B secretly share a common key for encrypted communication without communication.

Next, the user A sends the symmetric key generation device 102-
The K (A, B) output from A is input to the encryption device 103, and the communication data is encrypted, and the user B is encrypted via the communication path.
Send to User B inputs K (B, A) output from common key generation apparatus 102-B to decryption apparatus 104,
Decrypts the encrypted data received from the encryption device 103,
Output. Since the users other than the user A and the user B do not know the encryption key used in the encryption device 103, it is safe even if the data flowing on the communication path is intercepted by a third party.

<Embodiment 2> FIG. 3 is a configuration diagram of Embodiment 2 of the cryptographic communication system. Here, the cryptographic communication system of the first specific example shown in FIG. 1 is different in that a random number generation device 305 is added and a random number is added to the input of the common key generation device. The common key generation devices that receive random numbers are 302-A and 302-B.

User A and user B are in key generation center 1
The operation from 01 to the acquisition of the respective confidential information Y (A) and Y (B) is the same as that of the first embodiment, and the description is omitted here. Next, the random number generator 305 of the user A generates a random number R. The random number generator 305
Generate a different random number each time. The user A transmits the secret information Y (A) received from the key generation center 101, the ID information X (B) of the user B, and the random number R generated by the random number generation device 305 to the common key generation device 302-A. To enter. The common key generation device 302-A performs the following operation to perform the common key K (A,
B) is generated.

[0117] K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i ( However X (B))]} + R (mod.N) ... (14), Π i represents the product from i = 0 to m-1.

The random number R is transmitted to the user B via a communication path. The user B generates the common key K (B, A) by performing the following operation in the common key generation device 302-B.

[0119] K (B, A) = G f (B) ^ {Π i [e i ^ f i (X (A))]} · G h (B) ^ {Π i [d i ^ h i ( X (a))]} + R (mod.N) ... (15) However, [pi _i represents the product from i = 0 to m-1. Obviously, K (A, B) = K (B, A).

The method of generating the common key K (A, B) or K (B, A) in the specific example 2 is based on the formula (1
0) or the addition of R to the right-hand side of equation (11) can be modified to various generation methods for performing an operation dependent on both the calculation result of the right-hand side of equation (10) or equation (11) and R. . That is, in addition to the configuration in which R is added to the right side of Expression (10) or Expression (11), the common key may be generated by various configurations such as multiplication of R.

In the specific example 1, the user A and the user B
Are the same each time, but in the specific example 2, a different common key is shared between the user A and the user B every time key sharing is performed.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a specific example 1 of a cryptographic communication system of the present invention.

FIG. 2 is a configuration diagram of a conventional cryptographic communication system.

FIG. 3 is a configuration diagram of Example 2 of the cryptographic communication system of the present invention.

[Explanation of symbols]

101 key generation center 102-A, 102-B, 302-A, 302-B common key generation device 103 encryption device 104 decryption device 305 random number generation device

Claims (36)

[Claims] In a cryptographic communication system in which an encryption device and a decryption device encrypt and decrypt communication data using the same common key, public information T commonly used by each user is output. In addition, when an arbitrary user is set as the user A, the user A
Against the public key X (A) of the user A,
(A), a secret key Y (A) of the user A, a public key X (B) of a user B as a communication partner of the user A, and the public information T. , The common key K between these users A and B
A cryptographic communication system comprising: a common key generation device that outputs (A, B). 2. The key generation center according to claim 1, wherein the key generation center includes values N, G,
A cryptographic communication system wherein an operation using δ is used for generating a secret key Y (A) or generating public information T.
For any k> 0, G ＾ (δ + k) ≡G ＾ k (mod.N) (1) where ＾ represents a power operation, and a≡b (mod.q)
Represents that a and b are congruent modulo q. 3. The cryptographic communication system according to claim 2, wherein the key generation center or the common key generation device performs a process including a remainder operation modulo N. 4. The cryptographic communication system according to claim 2, wherein the key generation center performs a process including a power of G. 5. The key generation center according to claim 1, wherein the key generation center calculates an equation (2) for an arbitrary value δ.
Or two values x and y or y satisfying the relationship of equation (3)
A cryptographic communication system characterized in that an operation using と and z is used for generating a secret key Y (A) or generating public information T. xy≡0 (mod. δ) (2) yz≡0 (mod. δ) (3) 6. The key generation center according to claim 5, wherein (x + y) or (y + z)
A cryptographic communication system using an operation including an arbitrary power of y) or an arbitrary power of (y + z) for generating the public information T. 7. The cryptographic communication system according to claim 5, wherein the key generation center performs a process including an operation of raising x and y or y and z to the power. 8. The cipher according to claim 7, wherein the key generation center performs a process including an operation of adding a term including a result obtained by raising x and y or y and z to powers. Communications system. 9. The key generation center according to claim 2, wherein the key generation center uses an operation including a remainder operation modulo a multiple of δ for generation of the secret key Y (A) or generation of the public information T. Encryption communication system. 10. The cryptographic communication method according to claim 4, wherein the key generation center performs, as a power-of-G operation, an operation of an exponent used for the power-of-G operation under a remainder by a modulus δ. system. 11. The public information T according to claim 2, wherein the key generation center uses any multiple of δ
A cryptographic communication system characterized by generating 12. The key generation center according to claim 6, wherein the key generation center includes an operation of adding a term including any power of (x + y) or any power of (y + z) and a term including any multiple of δ. A cryptographic communication system, wherein a process is used for generating public information T. 13. A cipher according to claim 12, wherein the key generation center outputs e _i or d _i obtained by the operation shown in Expression (4) or Expression (5) by including it in public information T. Communications system. e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers. 14. The cryptographic communication system according to claim 2, wherein the key generation center outputs an arbitrary multiple of δ included in the public information T. 15. The encryption device according to claim 14, wherein the common key generation device uses a process including a remainder operation modulo an arbitrary multiple of δ for generation of the common key K (A, B). Communications system. 16. The cryptographic communication system according to claim 1, wherein the key generation center or the common key generation device includes a one-way function operation unit as a component. 17. The cryptographic communication system according to claim 16, wherein the key generation center or the common key generation device includes two or more types of one-way function calculation means as constituent elements. 18. The method according to claim 1, wherein the public key X (A) of the user A is used as ID information for another user to uniquely specify the user A. Encryption communication system. 19. The method according to claim 1, wherein the key generation center or the common key generation device obtains a predetermined value from a user A's public key X (A) or a result calculated based on the public key X (A). A cryptographic communication system comprising processing means for obtaining m outputs as values. 20. The method according to claim 19, wherein the key generation center or the common key generation device calculates an input result of the user A based on the public key X (A) or the public key X (A) of the user A in an n-ary number. A cryptographic communication system comprising means for obtaining a predetermined m digits when represented as m outputs. 21. The cryptographic communication system according to claim 19, wherein the processing means for obtaining m outputs are each a binary output. 22. The cryptographic communication system according to claim 19, wherein the processing means for obtaining predetermined m outputs from the input public key X (A) of the user A has one-way characteristics. 23. The key generation center according to claim 3, 4 or 8, wherein the key generation center sets the secret key Y (A) for the public key X (A) of the user A to the equation (6) or the equation (7). A cryptographic communication system for outputting information including a calculation result of G _f (A) or G _h (A) generated by the calculation of (a). G _f (A) = G ＾ ｛x ＾ F (X (A)) + y ＾ H (X (A))｝ (mod.N) (6) G _h (A) = G ＾ ｛y ＾ F ( X (A)) + z ＾ H (X (A))｝ (mod.N) (7) where F and H are predetermined functions for the public key X (A). 24. The key generation center according to claim 23, wherein the public key X (A) of the user A is
G generated by the operations of Expressions (6) and (7)
A pair of _f (A) and G _h (A) is defined as a secret key Y (A) = (G _f
(A), _Gh (A)). 25. The key generation center according to claim 19, wherein the m number of outputs output for a certain public key X are represented by f _i (X) (0 ≦ i <m) or h _i (X)
(0 ≦ i <m), these f _i (X) or h
A cryptographic communication system characterized by using a function F or H as in equation (8) or equation (9) using _i (X). _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary. 26. The key generation center according to claim 23, wherein the function F or H in the equation (6) or (7) uses a function of the following equation (8) or (9). Cryptographic communication system. _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary. 27. The key generation center according to claim 13, wherein the key generation center uses m r _i (0 ≦ i <m) or t _i (0 ≦ i <) used in the calculation of the following equation (8) or equation (9).
m), m e _i (0 ≦ i <m) or d _i (0 ≦ i <m) obtained by the calculation of Expression (4) or Expression (5)
Is output in the public information T. _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. Each of the m r _i t _i (0 ≦ i <m) is arbitrary. 28. The method according to claim 1, wherein the common key generation device of any user A performs a process including an operation for raising the information obtained as the secret key Y (A) of the user A or a partial information thereof to the power. An encryption communication system characterized by performing. 29. The apparatus according to claim 1, wherein the common key generation device of any user A converts a plurality of pieces of partial information of the information obtained as the secret key Y (A) of the user A into
A cryptographic communication system that performs a process including a product operation of a result of a predetermined operation process. 30. The method according to claim 28, wherein the exponent of the exponentiation operation is e _i or d _i which is the operation result of the following equation (4) or (5) included in the public information T.
A cryptographic communication system characterized in that a common key is generated using a result obtained by performing an operation based on a secret key. e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers. 31. The common key generation device according to claim 19, wherein the user A having the common key generation device
Partial information G _f (A) included in the secret key Y (A) of
, G _h (A) and m pieces of e _i , d _i (0 ≦ i <m) included in the public information T, and the public key X (B ), M outputs f _i (X (B)) and h _i (X (B)) (0 ≦
A cryptographic communication system characterized in that a common key K (A, B) is generated by an operation of the following equation (10) using a process of obtaining i <m). K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i (X (B ))]} (mod.N) ... (10) However, [pi _i represents the product from i = 0 to m-1. Here, G _f (A) and G _h (A) are two pieces of partial information included in the secret key Y (A), f _i (X (B)) and h _i (X
(B)) (0 ≦ i <m) are m outputs for the public key X (B), respectively. 32. The key generation center according to claim 1, wherein N representing the relationship of the following equation (1) and m pieces of e _i , d obtained as calculation results of the following equations (4) and (5) are provided. _i (0 ≦ i <m) is output in the public information T, and the secret key Y (A) = (G _f (A), G _h ( A)) is generated by the calculation of the following equations (6) and (7), and the common key generation device calculates the secret key Y (A) of the user A,
Public key X (B) of user B who is the communication partner of the user
And the common key K (A,
B) generating a cryptographic communication system. For any k> 0, G ＾ (δ + k) ≡G ＾ k (mod.N) (1) where ＾ represents a power operation, and a≡b (mod.q)
Represents that a and b are congruent modulo q. e _i = where _{(x + y) ^ r i} + s i δ (mod.M) ... (4) d i = (y + z) ^ t i + u i δ (mod.M) ... (5), M is any of δ It is a multiple. Also, r _i s
_i , t _i , and u _i are arbitrary numbers. G _f (A) = G ＾ ｛x ＾ F (X (A)) + y ＾ H (X (A))｝ (mod.N) (6) G _h (A) = G ＾ ｛y ＾ F ( X (A)) + z ＾ H (X (A))｝ (mod.N) (7) where x, y, and z in equations (4), (5), (6), and (7) are It satisfies the relations of equations (2) and (3). xy≡0 (mod.δ) (2) yz≡0 (mod.δ) (3) Further, F and H are given by the following equations (8),
It is a function like (9). _{F (X) = Σ i {} r i f i (X)} ... (8) H (X) = Σ i {t i h i (X)} ... (9) However, sigma _i from i = 0 m Represents the sum up to -1. Here, f _i (X) and h _i (X) (0 ≦ i <m) are m outputs output for the public key X, respectively. K (A, B) = G f (A) ^ {Π i [e i ^ f i (X (B))]} · G h (A) ^ {Π i [d i ^ h i (X (B ))]} (mod.N) ... (10) However, [pi _i represents the product from i = 0 to m-1. Here, G _f (A) and G _h (A) are two pieces of partial information included in the secret key Y (A), f _i (X (B)) and h _i (X
(B)) (0 ≦ i <m) are m outputs for the public key X (B), respectively. 33. The symmetric key generation device according to claim 31, wherein the product at the exponent part of the exponentiation operation of G _f (A) or G _h (A) in equation (10) is calculated under the remainder of the modulus N. A cryptographic communication system wherein the calculation is performed by repeating powers of. 34. The symmetric key generation apparatus according to claim 33, wherein f _i (X
(B)) or when the output of the h _i (X (B)) was _{0, e i ^ f i (} X (B)) or d _i ^ h _i (X
(B) An encryption communication system characterized by omitting exponentiation processing using exponent as an index. 35. The symmetric key generation device according to claim 34, wherein f _i (X
(B)) or the output of h _i (X (B))
A binary output _{of, e i ^ f i (X} (B)) or d _i ^
The exponentiation process using h _i (X (B)) as an exponent is omitted when the output value is 0, and the exponentiation process is performed as the exponentiation process by e _i or d _i when the output value is 1. Characterized cryptographic communication system. 36. The apparatus according to claim 1, further comprising: a random number generation device; and means for transmitting a random number generated by the random number generation device to a communication partner. A cryptographic communication system, which calculates the random number as an input in addition to a key Y (A) and a public key X (B) of a user B, and outputs a common key K (A, B).